Basic concepts and fundamentals of ACLs

This tutorial explains the basic concepts and fundamentals of access control lists. Learn the factors that affect ACL implementation such as location, direction, order, inbound and outbound.

An access control list (ACL) is a set of statements. Each statement consists of criteria and actions. Criteria define the conditions for the actions. When the defined conditions are matched, the related actions are executed. Routers use ACLs to filter packets. When a packet enters or exits the router, the router checks the statements of the applied ACL in sequential order to find a match. If the router finds a match, the router executes the corresponding action. If the router does not find a match, the router discards the packet.

An ACL works only if it is applied to the correct interface in the correct direction. In this part, we will discuss the factors that affect ACL implementation.

Location

Access lists are applied to interfaces. For example, if a router has two interfaces, you can apply different access lists to both interfaces. An interface can only use its ACL to filter the traffic that passes through it. It can't use the ACL of the other interface. If you apply an ACL to an interface that does not process targeted traffic, that ACL will not work.

An ACL acts as a sieve. Just as a sieve uses its mesh to filter out liquid or small particles from a mixture, an ACL uses its statements to filter out the desired packets. A sieve can filter the mixture only when you pass the mixture through it. Similarly, an ACL can filter traffic only if traffic is processed through it.

Let's understand this through an example. The following image shows a simple network.

In this network, three segments are connected through the router. Without any ACL, all segments can access each other. Now, the administrator wants to prevent the Staff segment from accessing the Server segment. For this, he created an ACL and applied it to the F0/1 interface. The following image shows this implementation.

Will this ACL work?

No, instead of blocking the Staff segment, this ACL will block the Administrators segment. The F0/1 interface connects the Administrators segment to the Server segment. To access the Server segment, the traffic of the Staff segment neither enters nor exits from the F0/1 interface. Since the traffic of the Staff segment does not interact with the F0/1 interface, the ACL applied to the F0/1 interface does not affect it.

Now you know, how the location of the ACL affects the ACL implementation.

Can you guess the correct location for this ACL?

You can apply this ACL to either the F0/0 interface or the F0/2 interface. The following image shows the correct implementation of the ACL.

When implementing an ACL on an interface, make sure that the interface interacts with the targeted traffic. If the targeted traffic does not pass through it, the ACL will not work.

Direction

When a router receives a packet on its interface, it reads the destination address of the packet and forwards the packet from the interface that is connected to the destination address.

We can divide this process into three phases. These phases are entry, process, and exit. In the first phase, the packet enters the router. In the second phase, the router processes the packet. In the third phase, the packet exits the router.

We can apply an ACL before the first phase and the third phase. If we apply the ACL before the first phase, the router will process the incoming packets through the ACL. If we apply the ACL before the third phase, the router will process the outgoing packets through the ACL. We can’t apply an ACL before and after the second phase.

Inbound and Outbound ACLs

If you use an ACL to filter incoming traffic, it is called an inbound ACL. If you use an ACL to filter outgoing traffic, it is called an outbound ACL. An inbound ACL cannot filter the outgoing traffic whereas an outbound ACL cannot filter the incoming traffic.

Let's take our example back to understand the effect of the direction on the ACL. To prevent the Staff segment from accessing the Server segment, the administrator applied the outbound ACL to the F0/0 interface.

Although the administrator has applied the ACL to the F0/0 interface, yet the Staff segment can access the Server.

Can you guess what's wrong with this implementation?

The following image shows the new ACL implementation.

The F0/0 interface is the default gateway of the Staff segment. It receives traffic from the Staff segment and forwards it to the Server segment. The F0/0 interface is the entry point of traffic.

The administrator applied the outbound ACL to filter the incoming traffic. The traffic of the Staff segment enters the F0/0 interface. It does not exit the F0/0 interface. An outbound ACL can't filter the incoming traffic.

The administrator can fix this problem in two ways. He can apply an inbound ACL to the F0/0 interface, or he can apply an outbound ACL to the F0/2 interface. The following image shows the first solution.

Order

Once the access list is implemented, the router processes each packet through the access list. For each packet, the router checks each entry in the access list from top to bottom until a match is found. Once a match is found, the router executes the corresponding action. It does not check the remaining entries for that packet. If an access list has multiple entries for the same packet, the router will only execute the action of the first entry from the top.

If you want to allow only some hosts from a network, you should add the allow statements first in the ACL. If you add an allow statement below the deny statement of the same criteria, the allow statement will never execute.

Let's understand it through our example. The administrator wants to allow only the host 10.0.0.10/8 from the 10.0.0.0/8 network to access the Server segment. For this, he created the following ACL.

Deny all
Allow 10.0.0.10/8

The administrator applied this ACL to the F0/0 interface in the inbound direction. Afterward, all traffic from the Staff section has blocked. Even the host 10.0.0.10/8 has an allowed entry, still the host can't access the Server segment.

Can you guess why this ACL is not working?

The following image show this ACL implementation.

When the packets from the host 10.0.0.10 enter the F0/0 interface, the interface checks the applied ACL. The first statement of the ACL says "deny all incoming traffic". Since this criterion matches all incoming packets, the interface never checks the next statement for any incoming packet. It always executes the action of the first statement. Since the action of the first statement is the 'deny all', all incoming packets are denied.

To fix this issue, the administrator needs to put the allowed statement before the deny statement. The correct ACL is the following.

Allow 10.0.0.10/8
Deny all

The following image shows the implementation of the correct ACL.

Now, when packets from the host 10.0.0.10/8 enter the F0/0 interface, the interface will allow them. But if it receives packets from other hosts, it will discard them. Let's understand why this will happen.

When a packet enters the interface, the interface checks the ACL. The first statement of the ACL is for the host 10.0.0.10/8. The interface will check the source address of the packet. If the source address of the packet is 10.0.0.10/8. The interface will execute the action of the first statement. The action of the first statement is 'allow'. Because of this, the packet will be allowed.

If the source address of the packet is not 10.0.0.10/8, the interface will check the next statement. The next statement is 'deny all'. This will match all incoming packets. The action of the second statement is 'deny all'. Because of this, the packet will be discarded.

Thus, apart from the packets of the host 10.0.0.10/8, all incoming packets will be discarded.

Watch Video Edition of this Tutorial

That’s all for this tutorial. In this tutorial, we discussed how location, direction and order affect an ACL. In the next tutorial, we will discuss how ACL works.